[Mimedefang] Re: Great open letter about anti-virus, emails, bounces, etc.

Michael Sims michaels at crye-leike.com
Tue Sep 16 18:06:27 EDT 2003


Matt Cramer wrote:
> On Mon, 15 Sep 2003, Michael Sims wrote:
>> I'm seriously considering setting up a blacklist like this where I
>> can tell relays with PTR records like...
>>
>> /ip.*\.suscom\.net/
>> /pcp.*\.comcast\.net/
>> /.*ppp.*\.tiscali\.no/
>> /([0-9]{1,3}-){3}[0-9]{1,3}\..*\.rr.com/
>> /([0-9]{1,3}-){3}[0-9]{1,3}\.client\.insightBB\.com/
>> /([0-9]{1,3}-){3}[0-9]{1,3}\.client\.attbi\.com/
>
> I understand why people do this (BTW there are RBLs of dynamic ranges
> so you can let someone else do the work for you and just use
> mimedefang to check the RBL)

I actually use one (dnsbl.njabl.org) and I tack on 3 points to the SA score
if I get a match.  Unfortunately it appears that njabl's dial-up list is
less than comprehensive, since I've only gotten a hit on it 80 times today.

> but it drives me nuts, because I run my
> personal domain off of my [dynamic] DSL line.  People can accept mail
> from whomever they choose, of course, but I am confident that *MY*
> mail server is as good if not better configured than the average
> ISP's.  If I send all my mail through the ISP's mail server, then I
> have to deal with their brain-dead configs, dropping mail, carnivore
> ;) etc. etc.

Let me go on record to say that I realize there are responsible mail
administrators who run mail servers on a dynamic/dial-up/residential IP
address.  That's the reason why, if I decide to do this, I will provide a
web form that will send an email to postmaster, and any legit relay can, if
they want to take the time to do it, inform me that they are legit and I
will immediately whitelist them.  But it has been my experience that a VAST
majority (I'm talking 99.99%) of all mail that comes from
dynamic/dial-up/residential IPs is direct-to-MX spam coming from 0wned
machines.  And it looks like the latest release version of SpamAssassin is
starting to lose its effectiveness, as the amount of spam slipping past my
filters is going up quite a bit here lately.  Most all of it has one thing
in common...the PTR record of the connecting relay matches one of the
patterns I posted above.  Somehow I get the feeling that LARTs sent to
abuse at 12-250-70-220.client.attbi.com will probably go unanswered. :)

Most likely I'll put a test rule into place in my mimedefang-filter and copy
any message I would have rejected to a shared IMAP folder.  After I have
about 2000 messages in there (should only take about an hour to reach that
number) I can scan them to see how many legit emails I see.  After I do that
I'll decide how to proceed.  At any rate I will build the web form because
I'm afraid some people wouldn't bother to pick up a phone, but would fill
out a form...

___________________________________________
Michael Sims
Project Analyst - Information Technology
Crye-Leike Realtors
Office: (901)758-5648  Pager: (901)769-3722
___________________________________________
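
The dry run described in the message above (tally what the PTR patterns would have rejected before enforcing anything), as an added example that is not part of the original post and is written in Python rather than as mimedefang-filter Perl. The sample relay names are constructed except the attbi.com hostname quoted in the post, and the whitelist entry is hypothetical.

```python
import re
from collections import Counter

# Patterns as posted in the message. Compiled case-insensitively because DNS
# names are case-insensitive (the post writes "insightBB").
POSTED_PATTERNS = [
    r"ip.*\.suscom\.net",
    r"pcp.*\.comcast\.net",
    r".*ppp.*\.tiscali\.no",
    r"([0-9]{1,3}-){3}[0-9]{1,3}\..*\.rr.com",
    r"([0-9]{1,3}-){3}[0-9]{1,3}\.client\.insightBB\.com",
    r"([0-9]{1,3}-){3}[0-9]{1,3}\.client\.attbi\.com",
]
DYNAMIC = [re.compile(p, re.IGNORECASE) for p in POSTED_PATTERNS]

def classify(ptr, whitelist=frozenset()):
    """Return 'whitelisted', 'would-reject' or 'accept' for one relay PTR name."""
    name = ptr.rstrip(".").lower()
    if name in whitelist:          # whitelist wins over any pattern match
        return "whitelisted"
    if any(rx.search(name) for rx in DYNAMIC):
        return "would-reject"
    return "accept"

def dry_run(relays, whitelist=frozenset()):
    """Tally verdicts without rejecting anything, like the test rule in the post."""
    return Counter(classify(r, whitelist) for r in relays)

# Constructed sample relay names (not from real logs), apart from the first.
SAMPLE_RELAYS = [
    "12-250-70-220.client.attbi.com",   # hostname quoted in the post
    "pcp01234567pcs.example-city.pa.comcast.net",
    "24-95-1-2.nyc.rr.com",
    "mail.example.org",
    "ship.mail.suscom.net",   # hits unanchored "ip.*\.suscom\.net" through "ship"
    "10-0-0-1.client.insightbb.com",
]
WHITELIST = frozenset({"10-0-0-1.client.insightbb.com"})  # hypothetical entry

if __name__ == "__main__":
    for relay in SAMPLE_RELAYS:
        print(f"{classify(relay, WHITELIST):13} {relay}")
    print(dict(dry_run(SAMPLE_RELAYS, WHITELIST)))
```

The `ship.mail.suscom.net` row shows the kind of false positive the review of copied messages is meant to catch: the patterns are unanchored, so `ip` matches inside an unrelated label.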



